am: 32c7000e

Change-Id: I57d3af7a930f77be74feba88d9875c9b5b90ab7c

am: a34781ae

Change-Id: Ic4103ff418e69f000198bb588f0cfccc578ba324

tombstoned allows dumpstate to install "intercepts" to java trace
requests for a given process. When an "intercept" is installed, all
trace output is redirected to a pipe provided by dumpstate instead
of the default location (usually in /data/anr or /data/tombstone).

Note that these processes are already granted "write" and "getattr"
on dumpstate:fifo_file in order to communicate with dumpstate; this
change adds "append" to the existing set of permissions.

Bug: 32064548
Test: manual
Change-Id: Iccbd78c59071252fef318589f3e55ece51a3c64c

am: 5e8fe834

Change-Id: Ibfe717b42fc26da2ec7876143b8cf0445a20eaec

am: e628cb5b

Change-Id: If2ce6fbf2b897d58da78430a7bae0fd6fb6e5a49

Applications connect to tombstoned via a unix domain socket and request
an open FD to which they can write their traces. This socket has a new
label (tombstoned_java_trace_socket) and appdomain and system_server are
given permissions to connect and write to it.

Apps no longer need permissions to open files under /data/anr/ and
these permissions will be withdrawn in a future change.

Bug: 32064548
Test: Manual

Merged-In: I70a3e6e230268d12b454e849fa88418082269c4f
Change-Id: Ib4b73fc130f4993c44d96c8d68f61b6d9bb2c7d5

am: f23230c8

Change-Id: I2214556e60abce3bf0801bc01d86e8c481e44c38

am: c3f4afef

Change-Id: I8810383b62d3c678c289867a0e17732242ee6679

am: 032c6d61

Change-Id: Ibc245f943ad12afbc71f0d13be915120d2388529

am: 9ac5d01f

Change-Id: I31b6b74e498efd2a6f6795f91d6a39a000886061

This reverts commit a015186f.

Bug: http://b/62101480
Change-Id: I8e889e3d50cf1749168acc526f8a8901717feb46

SELinux : avc:  denied  { find } for service=vrmanager pid=2364 uid=1027
scontext=u:r:nfc:s0 tcontext=u:object_r:vr_manager_service:s0
tclass=service_manager permissive=0

Test: manual
Bug: 35889571
Change-Id: If95bb5c286def99a0439b36a31b52fa9dfd4a2f4
Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>

am: 0bcb92a5

Change-Id: I86ba3626798b4f1afc49c767ad756c8a3b1f9e75

am: 4a608d31

Change-Id: I1ac7b6ddaa3f6c7ee88426cf5ec6e6dec7bc8767

Fix the following denial:
    avc: denied { append } for pid=1093 comm="mediaextractor" path="pipe:[68438]" dev="pipefs" ino=68438 scontext=u:r:mediaextractor:s0 tcontext=u:r:dumpstate:s0 tclass=fifo_file permissive=1 ppid=1 pcomm="init" pgid=1 pgcomm="init"

Bug: http://b/38444258
Test: none
Change-Id: I58162e3a28b744a58396e77d6b0e2becb5633d6a

am: ca7d90ca

Change-Id: Ibe4770026852338dcfde327857ccffb1fc91a5a0

system_server: replace sys_resource with sys_ptrace am: 3d8dde0e am: dddbd2f3 am: 5ee08053 am: 6b3ef921
am: ed21f855

Change-Id: I629201783c38c41032960e633f2a9f53eeadf8b9

am: de5db3ab

Change-Id: If61aa850ab0f6060ec7a863cc0107f68f1db9400

am: 6b3ef921

Change-Id: Iefc3436c532f5f291345e3d01a1cbe175d69e619

am: 5ee08053

Change-Id: I530872c3d9a8ddf5a03353b27e75ea1043cd2ab2

am: dddbd2f3

Change-Id: I517d7bbd415e28d2ba7719f17c1ddcc7c28f20a0

am: 3d8dde0e

Change-Id: I19cb50ee62d217f025bb7fcf535257dac3b3610e

Commit https://android.googlesource.com/kernel/common/+/f0ce0eee added
CAP_SYS_RESOURCE as a capability check which would allow access to
sensitive /proc/PID files. However, in an SELinux based world, allowing
this access causes CAP_SYS_RESOURCE to duplicate what CAP_SYS_PTRACE
(without :process ptrace) already provides.

Use CAP_SYS_PTRACE instead of CAP_SYS_RESOURCE.

Test: Device boots, functionality remains identical, no sys_resource
denials from system_server.
Bug: 34951864
Bug: 38496951
Change-Id: I04d745b436ad75ee1ebecf0a61c6891858022e34
(cherry picked from commit 44866954)

Test: manual
Bug: 37014702
Change-Id: Id43dc7a8506fe60015c2f82242ba45cf85d3e74b

am: cf611a3b

Change-Id: I4bcad7c62a3b32868cfcd6496f608c5905ab79f7

am: e3be5d6b

Change-Id: I6f3544a3803217bd6380ebb9d7d0b84c403e60c2

am: 1a6fabea

Change-Id: I3b1a74f387cbf7388feb17f87f749964816df302

am: c4055f0d

Change-Id: I4f307d49476c1e84d8dd17d02f383d7c10a959fc

Specify per-service rules for PDX transport. Now being able to
grant permissions to individual services provided by processes,
not all services of a process.

Also tighter control over which permissions are required for
client and server for individual components of IPC (endpoints,
channels, etc).

Bug: 37646189
Change-Id: I78eb8ae8b6e08105666445a66bfcbd2f1d69d0ea
Merged-Id: I78eb8ae8b6e08105666445a66bfcbd2f1d69d0ea

am: 7469d816

Change-Id: Ie36c6266cc3387bba02974fb65614c75c8bd1425

am: fcfda81b

Change-Id: Iefe805a99749c29865b7f871cd4fc3fe11e1e536

This reverts commit 8c60f74d.

Bug: 38242876
Change-Id: Iba5a94d16901dc0c52f1941972c26877baa4805c

am: c1e8f825

Change-Id: I2db7693bb8bb77e396602caa37286090791a4689

am: 216b377d

Change-Id: I2ff6397f145424266cd1091e338323cff283397c

Node for /dev/uhid driver needs to be accessible
by shell for the 'hid' command in frameworks/base/cmds.
This CL is in support of another CL c/2048848, topic
'Refactor hid command in /frameworks/base/cmds'
in internal master.

Bug: 34052337
Test: CTS test for GamepadTestCase#testButtonA; Checked that
cat /dev/uhid does not raise permission error.

Change-Id: I861c1226b4a67272af7c2a93d7811bf87a083478